The security system is designed to protect a computer installation with which it is associated against abnormal computer actions of users (i.e. both insiders who are entitled to use the installation normally and outsiders who must have intruded to use the installation at all), whenever such actions are likely to give rise directly or indirectly to a breach of confidentiality, of integrity, and/or of availability of data and services from the computer installation.
In the context of a security system as mentioned above, the facility is designed to detect such abnormal computer actions that can be considered as constituting intrusions of insiders and a fortiori of intruding outsiders, and also to detect the people implied in such intrusions or suspected of being so implied.
Numerous present-day computer installations, be they provided with centralized processor units or be they organized in networks interconnecting geographically distributed processor units, have various access points for serving their users. The number of such points and the ease with which they are often accessible, requirements necessary for running such computer installations, have the drawback of facilitating attempts at intrusion by people who are not authorized users, and attempts by users of any kind, whether acting alone or in concert, to perform computer operations which such user(s) should not be capable of performing, legitimately.
It is known that detecting intrusions into a computer installation and identifying the users performing illegal actions can be attempted by an approach that is statistical or neural. To this end, each current item of surveillance data which corresponds to a computer action of a subject on an object is compared algorithmically with usual user behavior, which may be represented either by a previously established statistical profile, or by being memorized in a neural network.
That is not completely satisfactory, insofar as the notions of "unusual" behavior and of "intrusive" behavior do not coincide, and in any event it is possible that intrusive behavior may be memorized wrongly, as acceptable normal behavior.
It is also known to make use of an expert system, in particular in association with the preceding method, to attempt to detect intrusions by taking surveillance data supplied by a security system of the computer installation and by applying knowledge thereto relating to potential scenarios for attacking the computer installation. That is not fully satisfactory either, since that method only detects intrusions that correspond to attack scenarios that have previously been stored.
Insofar as each of the approaches briefly outlined above relies on behavior that is limited to elementary actions at operating system level, e.g. reading a file, it is not possible to take account of unacceptable operations that result from complex activity, in particular operations that occur at application level. It is then not possible to draw justified conclusions from the data obtained about the intrusion state of a computer installation that is under surveillance and about the potential or real participation of users in reprehensible operations.